Trust fabric certificate

The CN of the trust fabric certificate must exactly match the hostname of the AttributeService and ArtifactResolutionService or equivalent URLs (usually the hostname of the identity provider server). The federation does not accept wildcard certificates as IdP trust fabric certificates.

A key length of at least 2048 bits is mandatory for trust fabric certificates. The federation recommends 2048 bits, as longer keys provide no additional practical security but are more computationally expensive for all parties.

Replacing an IdP trust fabric certificate

A trust fabric certificate should be replaced before it expires. When replacing an embedded IdP trust fabric certificate we recommend that you follow the steps described below. Note that the process can take anywhere from several days to several weeks, because the updated metadata must propagate to federation SPs, so allow plenty of time. If you aren't familiar with the process, allow at least a month.

Please note: there should be no loss of service with most federation SPs if the above procedure is followed, but some SPs are unable to handle the presence of more than one certificate in an IdP's metadata. To limit disruption with any such SPs, keep the period during which two certificates are present together in the metadata as short as possible.
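As an added example (not part of the federation's documentation or tooling), the following Go program applies the rules on this page to an IdP's published metadata. It extracts the AttributeService and ArtifactResolutionService hostnames and, for each signing certificate, checks that the CN matches one of them exactly, is not a wildcard, carries an RSA key of at least 2048 bits, and is not inside the replacement lead time; it also reports when more than one signing certificate is published, which is the overlap window the note above asks you to keep short. The entity ID, endpoint URLs and certificates are constructed sample values generated at runtime, and the 30-day lead-time threshold is an assumption (the text says to allow at least a month).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Policy values: 2048 bits is the federation minimum; 30 days of lead time is an
// assumption based on the advice to allow at least a month for replacement.
const (
	minKeyBits      = 2048
	renewalLeadTime = 30 * 24 * time.Hour
)

// idpMetadata is the subset of SAML 2.0 IdP metadata the checks need. The tags carry
// no namespace, so encoding/xml matches elements by local name (md: and ds: prefixes).
type idpMetadata struct {
	EntityID string `xml:"entityID,attr"`
	IDPSSO   struct {
		Keys []struct {
			Use   string   `xml:"use,attr"`
			Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"KeyDescriptor"`
		ArtifactResolution []struct {
			Location string `xml:"Location,attr"`
		} `xml:"ArtifactResolutionService"`
	} `xml:"IDPSSODescriptor"`
	AttributeAuthority struct {
		AttributeServices []struct {
			Location string `xml:"Location,attr"`
		} `xml:"AttributeService"`
	} `xml:"AttributeAuthorityDescriptor"`
}

// Report holds the policy findings and the number of published signing certificates.
type Report struct {
	SigningCerts int
	Findings     []string
}

// CheckTrustFabric parses IdP metadata and checks every signing certificate against the
// federation rules: CN equals an AttributeService/ArtifactResolutionService hostname,
// no wildcard CN, RSA key of at least minKeyBits, and not due for replacement.
func CheckTrustFabric(metadata []byte, now time.Time) (Report, error) {
	var md idpMetadata
	if err := xml.Unmarshal(metadata, &md); err != nil {
		return Report{}, err
	}
	hosts := map[string]bool{}
	var locations []string
	for _, s := range md.IDPSSO.ArtifactResolution {
		locations = append(locations, s.Location)
	}
	for _, s := range md.AttributeAuthority.AttributeServices {
		locations = append(locations, s.Location)
	}
	for _, loc := range locations {
		u, err := url.Parse(loc)
		if err != nil {
			return Report{}, fmt.Errorf("bad endpoint URL %q: %w", loc, err)
		}
		hosts[strings.ToLower(u.Hostname())] = true // Hostname() drops any :port
	}
	var r Report
	for _, kd := range md.IDPSSO.Keys {
		if kd.Use != "" && kd.Use != "signing" {
			continue // encryption-only key, not part of the trust fabric
		}
		for _, b64 := range kd.Certs {
			r.SigningCerts++
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return Report{}, err
			}
			cert, err := x509.ParseCertificate(der)
			if err != nil {
				return Report{}, err
			}
			cn := strings.ToLower(cert.Subject.CommonName)
			switch {
			case strings.HasPrefix(cn, "*"):
				r.Findings = append(r.Findings, cn+": wildcard certificates are not accepted")
			case !hosts[cn]:
				r.Findings = append(r.Findings, cn+": CN does not match an AttributeService/ArtifactResolutionService hostname")
			}
			if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
				r.Findings = append(r.Findings, cn+": non-RSA key, length rule not assessed")
			} else if pub.N.BitLen() < minKeyBits {
				r.Findings = append(r.Findings, fmt.Sprintf("%s: %d-bit key is below the %d-bit minimum", cn, pub.N.BitLen(), minKeyBits))
			}
			if cert.NotAfter.Before(now.Add(renewalLeadTime)) {
				r.Findings = append(r.Findings, fmt.Sprintf("%s: expires %s, start the replacement process now", cn, cert.NotAfter.Format("2006-01-02")))
			}
		}
	}
	if r.SigningCerts > 1 {
		r.Findings = append(r.Findings, fmt.Sprintf("%d signing certificates published: keep the overlap window short", r.SigningCerts))
	}
	return r, nil
}

// SelfSignedCert builds a throwaway self-signed certificate (base64 DER) for the demo.
func SelfSignedCert(cn string, bits int, notAfter time.Time) string {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// BuildMetadata wraps the given signing certificates in a minimal, constructed IdP
// metadata document for the sample host idp.example.org (not real federation data).
func BuildMetadata(certs ...string) []byte {
	var kds strings.Builder
	for _, c := range certs {
		fmt.Fprintf(&kds, `<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`, c)
	}
	return []byte(fmt.Sprintf(`<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">%s
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>`, kds.String()))
}

func main() {
	now := time.Now()
	// A compliant certificate alongside one that breaks every rule, as during a rollover.
	good := SelfSignedCert("idp.example.org", 2048, now.AddDate(2, 0, 0))
	bad := SelfSignedCert("*.example.org", 1024, now.AddDate(0, 0, 10))
	r, err := CheckTrustFabric(BuildMetadata(good, bad), now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d signing certificate(s) published\n", r.SigningCerts)
	for _, f := range r.Findings {
		fmt.Println(" -", f)
	}
}
```

Run it against real metadata by replacing BuildMetadata with the bytes of your IdP's published entity descriptor; the only input the checker trusts is the metadata itself, so it is safe to run against a downloaded copy before you publish a replacement certificate.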